Password's rotten core not complexity but reuse

SANS Institute's list of the top 7 human risks in computing includes phishing, passwords, and devices.
Written by John Fontana, Contributor

It's not how sophisticated a password is, but how many distinct passwords a person uses, or doesn't use, that creates the security risk.

In his look at the top seven human risks associated with computing, Lance Spitzner, director of the "Securing The Human" program at the SANS Institute, listed password reuse as number two on the list.

"With passwords, the surprise we found was not password complexity, but was people using the same password for several different accounts," said Spitzner. "Once the bad guys got it, it was very simple to move around [the network]."

Online password reuse also makes it easy for hackers to use one stolen credential at many sites, which is what happened to Best Buy customers last year.

The reuse issue is the reason hacked companies tell people to change their passwords not only on the hacked site, but on other sites they visit. This is especially true now that hackers routinely post stolen user names and passwords online, which can mean that multiple accounts get compromised months or even years beyond the initial password theft.
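The check that the "change your password on other sites too" advice implies can be automated on the defending side: when a dump of stolen user names and passwords is published, an organisation can test each leaked pair against its own salted password hashes and force a reset for every account where the leaked password still verifies. The following Python is an added example written for this article, not code from SANS or from the article's author; the directory schema, the PBKDF2 parameters, the sample accounts and the `email:password` dump lines are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Assumed PBKDF2 work factor for the constructed directory (not from the article).
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password, the way a site should store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_directory(accounts):
    """Build an email -> (salt, hash) directory from (email, password) pairs.

    The pairs are constructed sample data; a real directory never sees plaintext
    after enrolment.
    """
    directory = {}
    for email, password in accounts:
        salt = os.urandom(16)
        directory[email.lower()] = (salt, hash_password(password, salt))
    return directory


# Constructed sample accounts for the organisation being defended.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "Tr0ub4dor&3"),
    ("bob@example.com", "correct horse battery staple"),
    ("carol@example.com", "S3cure!Pass"),
]

# Constructed dump in the email:password layout common to public credential leaks.
# alice reused her password elsewhere, bob did not, dave is not one of our users.
LEAKED_DUMP = """\
alice@example.com:Tr0ub4dor&3
bob@example.com:hunter2
dave@example.com:password123
malformed line without separator
"""


def parse_dump(text):
    """Yield (email, password) pairs, skipping lines that do not fit the layout."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, _, password = line.partition(":")
        yield email.strip().lower(), password


def find_reused_credentials(directory, dump_text):
    """Return emails of our users whose leaked password verifies against our stored hash.

    Only accounts present in both the dump and the directory are tested, and the
    comparison is constant-time so the check itself leaks nothing about the hash.
    """
    reused = []
    for email, leaked_password in parse_dump(dump_text):
        entry = directory.get(email)
        if entry is None:
            continue
        salt, stored = entry
        if hmac.compare_digest(hash_password(leaked_password, salt), stored):
            reused.append(email)
    return reused


if __name__ == "__main__":
    directory = make_directory(SAMPLE_ACCOUNTS)
    for email in find_reused_credentials(directory, LEAKED_DUMP):
        print(f"force password reset: {email}")
```

Running the block flags only `alice@example.com`: her leaked password is the one she uses with us, so a reset is needed even though our own site was never breached. Bob appears in the dump with a different password and is left alone, which is the distinction the reuse advice is really about.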

Spitzner said risk happens as soon as humans touch keyboards.

"People are no more than another OS — the human OS — and we have done nothing to secure this OS," he said. "All the services are on by default and this OS is happy to share."

But Spitzner was not calling people out as "stupid or un-trainable"; he said the issue is that we've done nothing to change our behavior.

"People underestimate risk, they go to websites, they download files, they insert USB sticks," he said.

His list of the seven top human risks is:

  • Phishing

  • Password reuse across sites

  • Not patching or updating devices (BYOD)

  • Indiscriminate use of mobile media

  • Sharing too much personal/work information on social networking sites

  • Lack of situational awareness

  • Accidental disclosure/loss of information.

Spitzner said that most organizations suffer from a subset of this list. In his position at SANS, he instructs companies to do a risk analysis and then focus on their top risks.

"Don't overwhelm people with all of these," he said. "Teach the fewest topics that have the greatest impact."

One technique Spitzner suggested is creating training modules that can be reused over time to keep the training fresh in people's minds. And create content people can consume on their own time, he said.

"A key thing I have learned is not what you teach, but how," he said. "Don't focus on how awareness affects the corporation, focus on how it affects people at home. Then security becomes part of their DNA."

To listen to Spitzner's entire webcast, Mitigating the top Human Risks, click here.
